The code for add-apt-repository is in ppa.py from the software-properties package not the apt package.
** No longer affects: software-properties (Ubuntu Hardy)
** No longer affects: apt (Ubuntu)
** No longer affects: apt (Ubuntu Hardy)
** No longer affects: apt (Ubuntu Precise)
** No longer affects: apt (Ubuntu Lucid)
** No longer affects: apt (Ubuntu Natty)
** No longer affects: apt (Ubuntu Oneiric)
** No longer affects: apt (Ubuntu Quantal)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1016643

Title:
  add-apt-repository downloads gpg key in an insecure fashion

Status in GnuPG:
  Fix Released
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in software-properties package in Ubuntu:
  Fix Released
Status in gnupg source package in Lucid:
  Fix Released
Status in gnupg2 source package in Lucid:
  Fix Released
Status in software-properties source package in Lucid:
  Fix Released
Status in gnupg source package in Natty:
  Fix Released
Status in gnupg2 source package in Natty:
  Fix Released
Status in software-properties source package in Natty:
  Fix Released
Status in gnupg source package in Oneiric:
  Fix Released
Status in gnupg2 source package in Oneiric:
  Fix Released
Status in software-properties source package in Oneiric:
  Fix Released
Status in gnupg source package in Precise:
  Fix Released
Status in gnupg2 source package in Precise:
  Fix Released
Status in software-properties source package in Precise:
  Fix Released
Status in gnupg source package in Quantal:
  Fix Released
Status in gnupg2 source package in Quantal:
  Fix Released
Status in software-properties source package in Quantal:
  Fix Released
Status in gnupg source package in Hardy:
  Fix Released
Status in gnupg2 source package in Hardy:
  Fix Released

Bug description:
  add-apt-repository can add PPAs and automatically import the PPA gpg
  key. Unfortunately, it uses apt-key, which in turn uses gpg to
  download the key from a keyserver.

  gpg downloads keys from keyservers using the short key id, which is
  trivial to collide. It is therefore possible to either MITM the point
  where gpg downloads the key from the keyserver, or to simply upload a
  second colliding key to the keyserver. This can result in being able
  to MITM packages installed from PPAs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions
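The check a defender wants after importing a PPA key, as an added example that is not code from software-properties, gnupg or the bug report: it parses a constructed `gpg --with-colons` style listing containing two hypothetical keys that share the same 8-hex-digit short id, and shows that only a comparison against the full 40-hex-digit fingerprint tells them apart. The listing, key ids and fingerprints are all made up for the example.

```python
from __future__ import annotations
import re

# Constructed sample in GnuPG's --with-colons format: two hypothetical keys
# whose long key ids both end in 89ABCDEF, so they share a short key id,
# while their full fingerprints (field 10 of each 'fpr' record) differ.
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1340000000::::::scESC::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:-::::1340000000::1111::Example PPA <ppa@example.invalid>::
pub:-:4096:1:FEDCBA9889ABCDEF:1340000001::::::scESC::
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9889ABCDEF:
uid:-::::1340000001::2222::Colliding key <other@example.invalid>::
"""

FULL_FINGERPRINT = re.compile(r"^[0-9A-F]{40}$")


def parse_fingerprints(listing: str) -> list[str]:
    """Return the full fingerprint of every key in a --with-colons listing."""
    fingerprints = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fingerprints.append(fields[9].upper())
    return fingerprints


def keys_matching_short_id(listing: str, short_id: str) -> list[str]:
    """The weak check: every key whose last 8 hex digits equal short_id.

    Returns more than one fingerprint when the short id is ambiguous, which
    is exactly the collision the bug report describes.
    """
    wanted = short_id.upper()
    return [f for f in parse_fingerprints(listing) if f[-8:] == wanted]


def key_matches_fingerprint(listing: str, expected: str) -> bool:
    """The strong check: True only if a key with exactly this 40-hex-digit
    fingerprint is present. Refuses a short or long key id as input."""
    normalized = expected.replace(" ", "").upper()
    if not FULL_FINGERPRINT.match(normalized):
        raise ValueError("expected a full 40-hex-digit fingerprint, not a key id")
    return normalized in parse_fingerprints(listing)


if __name__ == "__main__":
    print("keys matching short id 89ABCDEF:",
          keys_matching_short_id(SAMPLE_LISTING, "89ABCDEF"))
    print("full fingerprint present:", key_matches_fingerprint(
        SAMPLE_LISTING, "AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF"))
```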